Merula
Email authentication · June 2026

Error 550 5.7.1 “Message rejected due to DMARC policy” — causes and fixes

What this error means

The receiving mail server rejected your message because it failed DMARC evaluation against your own domain’s published policy. Typical bounce texts:

550 5.7.1 Email rejected per DMARC policy for yourdomain.com
550 5.7.1 Unauthenticated email from yourdomain.com is not accepted
554 5.7.5 Permanent error evaluating DMARC policy

Unlike provider-specific errors, 5.7.1 DMARC rejections can come from any receiving server — Gmail, Microsoft, corporate mail gateways, other businesses. The receiver did exactly what your DMARC record told it to do: your policy says p=reject (or p=quarantine), the message failed both SPF and DKIM alignment, so it was refused.

This error is common in one particular scenario: a business moves to p=reject, and a legitimate sending service that was never properly aligned starts bouncing. The policy isn’t wrong — the inventory was incomplete.

Why you’re seeing it

How to fix it

  1. Determine whether the rejected mail is legitimate. Check the bounce’s message details against your known sending services. If it’s not yours, no fix is needed — file it as evidence the policy is earning its keep.
  2. If legitimate, align the sender: enable DKIM signing with your domain in the service’s settings (the durable fix — DKIM survives forwarding), and/or add it to SPF with correct alignment.
  3. Check subdomains. Every subdomain that sends mail needs its own SPF and DKIM records.
  4. If you moved to enforcement too early, step back to p=quarantine; pct=25 while you complete the sender inventory from aggregate-report data — then return to p=reject. Don’t park at p=none permanently; that re-opens the spoofing hole the policy exists to close.
  5. Read your aggregate reports continuously. They are the only complete record of what passes and fails across all receivers — and the only way to catch the next unaligned sender before enforcement bounces it.

The bigger picture

Enforcement is the destination, not the problem. EU CSIRTs’ standing recommendation — monitor first, then enforce — exists precisely because of this error: the monitoring phase is where you find every legitimate sender before the policy starts rejecting. Across the EU, regulators and large customers increasingly expect enforcement-level DMARC from suppliers; the answer to 5.7.1 bounces is finishing the alignment work, not abandoning the policy.

Merula monitors your SPF, DKIM and DMARC configuration continuously and explains what to align before — and after — you move to p=reject. Merula is in development and launches after summer 2026.